Paul Floyd [Wed, 8 Apr 2026 06:30:45 +0000 (08:30 +0200)]
FreeBSD regtest: rename a C variable
One FreeBSD test was using a variable called 'nullptr'.
clang 22 now complains about that because it is a reserved
keyword in C 23. Rename it to 'nullpointer'.
Paul Floyd [Sun, 5 Apr 2026 15:29:43 +0000 (17:29 +0200)]
FreeBSD arm64: fix do_syscall_WRK
Back in Sept 2025 this function was refactored a bit because
it was being passed an argument that was never used. That
shifted down the sysno by one slot. Because I can't count
I changed it from moving from the stack to moving from x9
into x8. The source should be x7. This worked by accident
in optimised builds probably because sysno was in x9
from an earlier function that shuffles the arguments.
Paul Floyd [Sat, 4 Apr 2026 20:17:02 +0000 (22:17 +0200)]
FreeBSD regtest: filters for source installs of FreeBSD
It looks like cfarm427 and cfarm430 are installed from source.
That changes some of the error callstacks (due to generated
filenames and paths in the source build). This adds filters
for the syscalls.
I'm still seeing quite a few helgrind and massif fails.
Paul Floyd [Fri, 3 Apr 2026 19:05:50 +0000 (21:05 +0200)]
Bug 518482 - FreeBSD: assert in parse_procselfmaps when built with GNU binutils
parse_procselfmaps rewritten to not use any hard coded counts.
Previously the code was counting mappings from sysctl KERN_PROC_VMMAP
and when it saw the host rx mapping it was saving state for the next
pass in the loop, which it was assuming would be the rw segment
mapped to swap. The counts were hard coded for GCC and clang and
assumed GCC used ld.bfd and clang used ld.lld. That assumption
is not safe.
Now the code uses a lookahead. Something that I had not previously seen
is that the host RW PT_LOAD can be partially or wholly mapped as swap.
The lookahead checks for the first rw swap mapping that follows
an RX file mapping (RW wholly mapped as swap) or an RW file
mapping (RW partially mapped as swap). The first time that condition
is met the RW swap mapping will also be recorded as if it were a
file mapping. The current iteration then skips two kinfo_vmentry
records rather than one.
Andreas Arnez [Thu, 2 Apr 2026 11:20:44 +0000 (13:20 +0200)]
memcheck: Small simplification when ANDing guard conditions
Memcheck's complainIfUndefined() function contains logic where a Boolean
AND is "emulated" by converting both operands to I32, applying Iop_And32,
and converting the result back to I1.
Since Iop_And1 was introduced a while ago, just use that directly instead.
Mark Wielaard [Wed, 18 Mar 2026 17:18:38 +0000 (18:18 +0100)]
Add PTEST SSE4.1 support for x86
Add handling of PTEST to VEX/priv/guest_x86_toIR.c based on the
guest_amd64_toIR.c implementation (dis_xTESTy_128 and finish_xTESTy,
but only for 128 bit PTEST). Take tests from amd64/sse4-64.c with same
test vectors to make sure flag results are the same.
Paul Floyd [Wed, 1 Apr 2026 19:42:52 +0000 (21:42 +0200)]
FreeBSD sanity-level checks: clean up maybe_merge_procmap_stack()
This was using hard coded max stack size values. Use sysctl instead,
as suggested in the comments.
Slight complication for x86 on amd64 - need to check
compat.ia32.maxssiz first. If that fails then the binary is
running on an x86 kernel, so fall back to using kern.maxssiz.
Martin Cermak [Tue, 31 Mar 2026 15:50:48 +0000 (17:50 +0200)]
Bug 514297 - Track madvise MADV_GUARD_INSTALL in address space manager
Linux 6.13+ and Glibc 2.42+ introduce lightweight stack guard
pages based on the madvise() syscall.
The purpose of a guard page is to prevent buggy (or malicious)
code from overrunning a memory region. An inaccessible page
placed at the end of a region will cause a segmentation fault
should the running process try to read or write to it;
well-placed guard pages can trap a number of common buffer
overruns and similar problems. Prior to 6.13, though, the only
way to put a guard page into a process's address space was to set
the protections on one or more pages with mprotect(); that works,
but at the cost of creating a new virtual memory area (VMA) to
contain the affected page(s). Placing a lot of guard pages will
create a lot of VMAs, which can slow down many memory-management
functions.
The new guard-page feature addresses this problem by working at
the page-table level rather than creating a new VMA. A process
can create guard pages with a call to madvise(), requesting the
MADV_GUARD_INSTALL operation. The indicated range of memory will
be rendered inaccessible; any data that might have been stored
there prior to the operation will be deleted. There is an
operation (MADV_GUARD_REMOVE) to remove guard pages as well.
With glibc commit a6fbe36b7f31 and others, a guard page is
installed for each new thread. In the future, guard pages might
be used also for DSOs supporting multiple kernel page sizes.
Besides madvise, a guard page may also be removed via
munmap(). This update introduces support for this new type
of Linux guard page into Valgrind.
Add new --max-guard-pages command line switch to allow
customizing the maximum number of guard pages Valgrind can handle.
Add new testcase memcheck/tests/linux/madv_guard.
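As an added example (my code, not part of this commit or of Valgrind), here are the two guard-page mechanisms the message contrasts side by side: the madvise() page-table guard, with the older mprotect() guard as the fallback when the kernel predates 6.13. The fallback definitions of MADV_GUARD_INSTALL/MADV_GUARD_REMOVE as 102/103 are assumed from the Linux uapi headers, not taken from the page.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <setjmp.h>
#include <signal.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Linux 6.13 uapi values, supplied if the headers predate them (assumed, not from the page). */
#ifndef MADV_GUARD_INSTALL
#define MADV_GUARD_INSTALL 102
#define MADV_GUARD_REMOVE  103
#endif
static sigjmp_buf fault_jmp;
static void on_segv(int sig) { (void)sig; siglongjmp(fault_jmp, 1); }
/* Load one byte from p under a temporary SIGSEGV handler: 1 = faulted, 0 = ok. */
static int read_faults(const volatile unsigned char *p) {
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    volatile int faulted = 1;
    if (sigsetjmp(fault_jmp, 1) == 0) {
        (void)*p;                /* volatile: the load is really issued */
        faulted = 0;
    }
    sigaction(SIGSEGV, &old, NULL);
    return faulted;
}

/* Map three anonymous pages, make the middle one a guard page, then lift the
 * guard again.  Returns a bitmask: 1 = page 0 readable before guarding,
 * 2 = the guarded page faults, 4 = it reads fine again after removal,
 * 8 = the madvise() path was used (else the mprotect() fallback); -1 = error. */
int guard_page_demo(void) {
    long pg = sysconf(_SC_PAGESIZE);
    unsigned char *base = mmap(NULL, 3 * pg, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return -1;
    unsigned char *guard = base + pg;
    base[0] = 0x41;              /* populate page 0 so the first read is real */
    int seen = read_faults(base) ? 0 : 1;
    /* Preferred: a page-table guard that creates no new VMA.  A pre-6.13 kernel
     * rejects the advice with EINVAL; then fall back to the classic PROT_NONE
     * guard, which splits the VMA but traps the access just the same. */
    int use_madvise = (madvise(guard, pg, MADV_GUARD_INSTALL) == 0);
    if (!use_madvise && (errno != EINVAL || mprotect(guard, pg, PROT_NONE) != 0)) {
        munmap(base, 3 * pg);
        return -1;
    }
    if (use_madvise) seen |= 8;
    if (read_faults(guard)) seen |= 2;
    /* Lift the guard the same way it was installed and check the page is back. */
    int rc = use_madvise ? madvise(guard, pg, MADV_GUARD_REMOVE)
                         : mprotect(guard, pg, PROT_READ | PROT_WRITE);
    if (rc == 0 && !read_faults(guard)) seen |= 4;
    munmap(base, 3 * pg);
    return seen;
}
```

Bit 8 of the result tells you which mechanism the running kernel actually provided; bits 1, 2 and 4 should be set either way.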
Paul Floyd [Mon, 30 Mar 2026 11:25:52 +0000 (13:25 +0200)]
Darwin regtest and suppressions: more for Darwin 19
I upgraded my VM host and I suspect that this changed the default
CPU features and CPUID. Result: new races for DRD and Helgrind
in getaddrinfo, one new leak in dyld and lots of new allocations
picked up by the massif tests.
Paul Floyd [Thu, 26 Mar 2026 19:28:14 +0000 (20:28 +0100)]
Darwin regtest: make new version of scripts shell test
The behaviour of /bin/sh changed with macOS 10.15. When trying to
exec a new process that will fail, the child process still gets
created. On older versions of macOS execve fails like it does on
Linux and FreeBSD.
On Darwin, the shell test now gets run twice, once normally and
once with --trace-children=yes.
Andreas Arnez [Thu, 26 Mar 2026 12:33:17 +0000 (13:33 +0100)]
s390x: Exploit "load address" in isel
Compared to AGHI, the "load address" instructions LA and LAY can be
beneficial for register allocation since they allow for distinct source
and destination operands. This can often avoid unnecessary register
moves.
Andreas Arnez [Thu, 26 Mar 2026 12:33:17 +0000 (13:33 +0100)]
s390x: Exploit instructions for bitwise NAND and NOR in isel
Newer z/Architecture machines have the instructions NORK and NOGRK for
calculating bit-wise NOR, as well as NNRK and NNGRK for bitwise NAND.
Exploit those when applicable.
Andreas Arnez [Thu, 26 Mar 2026 12:33:17 +0000 (13:33 +0100)]
s390x: Exploit `and/or with complement' in isel
The miscellaneous-instruction-extensions facility 3 provides the
z/Architecture instructions NCRK, NCGRK, OCRK, and OCGRK. For operands
`a' and `b' these bitwise operations yield
a and not(b)
a or not(b)
Exploit these instructions in the instruction selector.
Florian Krohm [Wed, 25 Mar 2026 10:01:08 +0000 (10:01 +0000)]
VEX: Remove unused files
These files are leftovers from the time when VEX code was stored in a
separate repository. The files were never shipped, were intended for
developer use only and are no longer useful.
Paul Floyd [Tue, 24 Mar 2026 20:01:19 +0000 (21:01 +0100)]
FreeBSD regtest: add another expected for realpathat2
FreeBSD 16 has added several changes to realpathat. Some of those
are just swapping strlcat with strlcpy. I could add that to the
filter. However, the strlcat also has an extra invalid read.
Paul Floyd [Tue, 24 Mar 2026 07:48:57 +0000 (08:48 +0100)]
Darwin env vars: mostly revert not setting DYLD_SHARED_REGION for Darwin 20 and later.
Sigh. The default value ought to work. Tested on macOS 10.14. It worked.
Tested on macOS 10.15. It worked. Tested on macOS 11. It worked.
Tested on macOS 12. It worked. Pushed the code.
Paul Floyd [Sun, 22 Mar 2026 18:45:42 +0000 (19:45 +0100)]
Helgrind xml filter: fix for hex value filtering
The hex raplacement was using
"0x([0-9a-zA-Z]+)" => "........",
On Darwin 17 one testcase has a line
<unique>0xe</unique>
After matching we do global replacement of capture $1. In this case
that was 'e' and the result of global replacement was
<uniqu........>0x........</uniqu........>
That then failed to match the replacement
"<unique>(.*)</unique>" => "...",
I've just moved the '0x' into both the key and the pattern.
That reduces the chances of accidental matches. A better fix
would be to use more context for the replacement.
Paul Floyd [Sun, 22 Mar 2026 16:18:41 +0000 (17:18 +0100)]
NEWS: add bug 511461 Darwin 17 (MacOS X 10.13) memcheck issues
I think I've done about as much as I can reasonably do for this.
Will open new issues if necessary.
Remaining regtest failures are due to:
many many many Darwin leaks
debuginfo differences
unsupported x86 opcodes
libpthread race in stack teardown (?) - fixed in macOS 10.14
Darwin has different output of v.info monitor request
Florian Krohm [Sat, 21 Mar 2026 18:04:25 +0000 (18:04 +0000)]
s390: Fix compilation of testcases with clang 20.1.8
bfp-fpc.c: The SRNMB insn requires the floating-point extension.
Add -march=arch9 to compile flags which corresponds to z196 which is
the minimum required machine model.
The clang error is apparently triggered by the mnemonic. C.f. bfp-convert.c
which also uses insns requiring the floating-point extension. But those insns
are pieced together in a different way avoiding the mnemonic.
ex.c, exrl.c: The SGRK insn requires the distinct-operands facility.
Add -march=arch9.
vecdiv.c, vme.c: The insns require the vector facility.
Add -march=z13.
tmxx.c: The LOCGR insn requires the load/store-on-condition facility.
Add -march=arch9.
Paul Floyd [Fri, 20 Mar 2026 21:03:14 +0000 (22:03 +0100)]
Darwin: add only necessary env vars
We were always adding DYLD_SHARED_REGION. On macOS 11+ this isn't
necessary and we can just leave dyld do its thing. If we
don't add it we don't need to remove it either.
Andreas Arnez [Fri, 20 Mar 2026 12:11:03 +0000 (13:11 +0100)]
s390x: Fix vec3 test case when using clang
The llvm assembler behaves differently from gas when dealing with
unassigned bits in an .insn directive. While gas fills them with the
given instruction text, clang sets them to zeroes.
The `vec3' test case exploits filling these bits in TEST_V3OP, thus it
fails when compiled with clang. Fix this by using VRI instead of VRR and
assigning fixed registers to the missing vector operands in that format.
The issue also applies to TEST_VBLEND, but since VBLEND is just another
3-input-operand instruction, treat it like that and drop the special
handling.
Paul Floyd [Thu, 19 Mar 2026 13:10:49 +0000 (14:10 +0100)]
Darwin: don't remove VALGRIND_LAUNCHER from vg_cleanup_env
It gets put there by launcher-darwin.c but it was already removed
by initimg-darwin.c by the time the preloads get loaded and this
function marked constructor runs.
I'll probably also look at not bothering to set DYLD_SHARED_REGION=use
on macOS >= 11 since that is the default.
Paul Floyd [Wed, 18 Mar 2026 19:41:00 +0000 (20:41 +0100)]
Bug 512291 - Valgrind on Solaris should drop support for long gone /dev/crypto framework
Initial patch provided by Vladimír Marek <vlmarek13@gmail.com>.
I've changed it a bit to add a configure test and break out a new
solaris regtest, scalar_crypto.
Andreas Arnez [Wed, 18 Mar 2026 17:27:44 +0000 (18:27 +0100)]
s390x: Slightly optimize AND/OR/XOR with immediates
In host_s390_defs.c, when generating code for AND, OR, or XOR with a
64-bit immediate value, two instructions are emitted: one for each 32-bit
half of the full 64-bit value. In cases where the value only affects the
low or the high half of the result, one of these instructions becomes a
no-op.
For these cases, just suppress the effective no-op instructions.
Andreas Arnez [Wed, 18 Mar 2026 17:27:44 +0000 (18:27 +0100)]
s390x: Fix negative signed immediate operands in code gen
The helper functions that check whether an integer constant fits into a
16-bit or 32-bit signed immediate operand always return false for negative
values. This prevents the use of negative immediate operands altogether
and may lead to unnecessarily clumsy code being emitted, such as
However, the previous code was perhaps a bit obscure. So instead of
reverting to that, use simple checks like "val + 0x8000 <= 0xFFFF",
exploiting standard C integer semantics.
Paul Floyd [Wed, 18 Mar 2026 06:48:39 +0000 (07:48 +0100)]
Darwin regtest: fix compilation of gdbserver_tests/self_invalidate.c
This test checks for amd64 or mips. For amd64 it uses syscall 64.
That is 'exit' on Linux, 'umask' on both FreeBSD and Solaris
(which seems to work by accident). On Darwin it isn't a valid
syscall number which causes a Valgrind error.
Now Darwin uses syscall 0x02000001 (exit) and the test passes.
Paul Floyd [Sat, 14 Mar 2026 13:30:34 +0000 (14:30 +0100)]
Regtest: fix use of -no-pie
This should be a linker option only (-fno-pie is the compiler equivalent
which we don't need with our small one-file testcases). Use it with
-Wl,-no-pie because not all platforms support PIE and it may produce
a warning when used with the compiler as linker driver.
Paul Floyd [Sat, 14 Mar 2026 11:11:23 +0000 (12:11 +0100)]
Linux regtest: update scalar to run under WSL
Several syscalls like getuid fail and set ENOSYS on WSL.
(I guess that there is too much difference between
the Linux user/group/other IDs and whatever Windows uses).
Added a macro that covers both cases.
Paul Floyd [Sat, 14 Mar 2026 07:26:59 +0000 (08:26 +0100)]
More consistent use of VG(strcmp)
In e43f320b504a99edc45f1b5d0dce6fabde023b93 I silenced -Waddress warnings
coming from VG_STREQ which does NULL pointer checks then calls VG_(strcmp).
If the argument is a char array it can't be NULL. I changed using the
macro to directly calling VG_(strcmp). In the same places there were
still some uses of VG_STREQ and mixing macros and direct calls is confusing.
It's safe to only make direct calls to VG_(strcmp) - the arguments are already
checked or are string literals.
Florian Krohm [Fri, 13 Mar 2026 22:36:23 +0000 (22:36 +0000)]
s390: Add VEX_HWCAPS_S390X_MRMM
In b640fa64b8 z196 was chosen to be the minimum required machine
model. That machine provides a list of facilities (aka hardware
capabilities). But show_hwcaps_s390x did not show them.
This patch adds VEX_HWCAPS_S390X_MRMM (where MRMM means Minimum Required
Machine Model) which represents all hardware capabilities of that machine.
Also: drop the "s390x" prefix in show_hwcaps_s390x because "s390x" isn't
a hardware capability.
When running with -d hardware capabilities are shown like so:
--1085356:1: main ... arch = S390X, hwcaps = z196-vx-msa5-mi2-lsc2-vxe-dflt-vxe2-vxd-msa8-msa9-msa12
Paul Floyd [Fri, 13 Mar 2026 12:40:37 +0000 (13:40 +0100)]
Darwin regtest: small tweak for memcheck str_tester
On Darwin 17 (macOS 10.13) this test fails standalone and under
Valgrind.
The failing test is
check(memcmp("a\203", "a\003", 2) > 0, 6);
I think that the compiler is using a builtin that does not behave
identically to libc memcmp. It's all a question of signed and
unsigned char. If char is unsigned then \203 is positive and
greater than \003. This is the Darwin libc behaviour. If
char is signed \203 is negative and the return value is negative
and the test fails. That seems to be the builtin behaviour.
This change inhibits use of a builtin for that one test.
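As an added illustration (my code, not the commit's change or Valgrind's str_tester) of the signed-versus-unsigned char point: C specifies that memcmp compares bytes as unsigned char, which is the positive result libc gives, while the same loop over signed char reproduces the negative result that makes the test fail.

```c
#include <string.h>

/* Compare n bytes the way C specifies memcmp: each byte as unsigned char. */
int cmp_unsigned_bytes(const void *a, const void *b, size_t n) {
    const unsigned char *x = a, *y = b;
    for (size_t i = 0; i < n; i++)
        if (x[i] != y[i]) return (int)x[i] - (int)y[i];
    return 0;
}

/* The same loop over signed char: what a builtin that treats the bytes as
 * plain (signed) char effectively computes. */
int cmp_signed_bytes(const void *a, const void *b, size_t n) {
    const signed char *x = a, *y = b;
    for (size_t i = 0; i < n; i++)
        if (x[i] != y[i]) return (int)x[i] - (int)y[i];
    return 0;
}

/* The str_tester comparison from the commit, evaluated three ways.  Bitmask:
 * 1 = libc memcmp says > 0, 2 = the unsigned loop says > 0,
 * 4 = the signed loop says < 0 (the behaviour that makes the test fail). */
int str_tester_case(void) {
    /* Call libc through a volatile function pointer so the compiler cannot
     * replace the call with a constant-folded builtin. */
    int (*volatile real_memcmp)(const void *, const void *, size_t) = memcmp;
    int r = 0;
    if (real_memcmp("a\203", "a\003", 2) > 0) r |= 1;
    if (cmp_unsigned_bytes("a\203", "a\003", 2) > 0) r |= 2;
    if (cmp_signed_bytes("a\203", "a\003", 2) < 0) r |= 4;
    return r;
}
```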
Paul Floyd [Thu, 12 Mar 2026 20:27:07 +0000 (21:27 +0100)]
Bug 513844 - Support macOS 13.0 (Ventura)
Preliminary support.
On macOS 10.13, 10.13, 10.15, 11 and 12 I get around 80 regtest failures
(mostly due to macOS's propensity to leak, but also some due to debuginfo
differences).
With macOS 13 that figure goes up to about 80. I haven't analysed all
problems. There are certainly memory map issues - I think that
some syscalls like kernelrpc_mach_vm_deallocate_trap are causing
mapped blocks of memory to be split in ways that we're not handling
correctly. That results in --sanity-level=3 failures.
Paul Floyd [Wed, 11 Mar 2026 21:02:49 +0000 (22:02 +0100)]
Darwin initimg: fix location for start of stringtable on x86
I was calculating the remainder (%16) rather than the amount needed
to round up to the next multiple of 16. That worked on amd64
where it is 0 or 8 either way. On x86 4 and 12 were the wrong
way round.
Andreas Arnez [Tue, 10 Mar 2026 17:20:01 +0000 (18:20 +0100)]
s390x: Simplify POPCNT logic in host_s390_defs.c
With the exploitation of the POPCNT instruction, the new s390_insn_tag
S390_INSN_POPCNT was introduced. This requires handling the new tag in
s390_get_reg_usage(), s390_insn_map_regs(), and s390_insn_as_string(), as
well as providing the interface function s390_insn_popcnt().
All of this can go away when using the existing S390_INSN_UNOP instead and
just adding a new unary operation type to s390_unop_t. So do this.
Paul Floyd [Tue, 10 Mar 2026 08:41:01 +0000 (09:41 +0100)]
Darwin: add printing function for env and apple pointer area
Change DEBUG_ENV_APPLE to use it. It will print env and the
apple pointer area at the start of setup_client_stack
(what we get from 'valgrind' and the OS) and at the end
of the same function (what we give to the client).
Paul Floyd [Mon, 9 Mar 2026 07:05:39 +0000 (08:05 +0100)]
Darwin stack size
Darwin wasn't using --main-stacksize. Instead the stack was being set
based on rlimit (in my tests I saw that it could also be set from
macho, but it appears to specify a size of 0, at least on regtest
files compiled on macOS 12).
Also unlike other OSes there was no lower/upper limit of 1MB
and 16MB.
It looks like all four platforms now have duplicated code for setting
the main client stack size, so I should probably factor it out into
something like VG_(get_default_stack_size)().
With this change I tried to get the lsframe1 and lsframe2 tests to work.
With some twiddling of the stack and frame size they seem to work.
One issue is that Darwin has a function that probes below the stack.
I think that is related to stack growth. We don't implement a grow down
stack on Darwin. The whole stack gets mapped in one go. So this probing
does not serve much purpose under Valgrind but it does generate a lot of
memcheck noise.
It seems as though the name of this probe function changed with
macOS 12. Previously it was __chkstk_darwin_probe. With macOS 12
it is ___chkstk_darwin. So I added a couple of wildcards to the suppressions
so that they match both versions.
Paul Floyd [Sun, 8 Mar 2026 20:32:23 +0000 (21:32 +0100)]
Darwin initimg: exit if VG_(do_exec) fails, clean up use of executable_path
There was a compiler warning because the return from VG_(do_exec)
was unused. Check it and exit, like other OSes. No point trying
to continue if we can't load the guest exe.
Also in setup_client_stack there was some confusion over what to do
if info->executable_path is NULL. I'm pretty sure that without
a guest exe name we can never get this far. So I've just added
an assert.
Paul Floyd [Fri, 6 Mar 2026 20:13:40 +0000 (21:13 +0100)]
Add a section about mismatched free errors when using identical code folding to the FAQ.
See Bug 517126 - Mismatched frees with ICF
I haven't added this to NEWS since it's not really a bug
(the linker writers deem this to be an error that is safe).
Other than telling users not to use ICF linker options we don't have a fix.
Andreas Arnez [Thu, 5 Mar 2026 12:25:07 +0000 (13:25 +0100)]
Bug 503240 - s390x: Support MSA 10, 11, 12, and 13
Add support for the message-security-assist extensions 10-13. These
extensions don't add any new instructions, but add new capabilities to
existing instructions.
Florian Krohm [Wed, 4 Mar 2026 22:23:18 +0000 (22:23 +0000)]
regtest: Support make regtest BUNSEN=no
Inhibits the generation of .log and .trs files which are only of use
for post-processing with bunsen. For those of us who like tidy
working copies.
vg_regtest: New command line option --no-bunsen